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MEMORANDUM FOR: Chief, Audit Staff, OIG 
FROM: Thomas B. Yale 
Director of Finance 
SUBJECT: Report of Audit of the Office of Data Processing 


as of 30 Jume 1978 


1. The position of the Office of Finance is not to adopt the audit 
recommendation as stated in paragraphs 33, 34, and 35 of subject audit 
report. Our position is based on the propriety of obligations as they 
relate to the establishment of liabilities that far exceed authorized 
budgets. In as much as this Agency's appropriation is governed by one 
year money we feel the establishment of liabilities covering in some 
instances contracts encompassing a period of six years is not sound. 

The wording used within contracts in question, Alternate Purchase Plans 
(APP) further draws. attention to the questionable propriety. These contracts 
are written giving the Agency many escapes with wording such as "No funds are 
currently legally obligated." "....subject to the availability funds....," 
"No legal liability on the part of the Govermaet for payment of any money 
in excess of that amount currently obligated shall arise unless and until 
funds are made available to the contracting officer....'' It should be 
noted, we have no problem with the implied ownership and in fact the APP 
contracts acknowledge that throughout the period of the agreements or until 
all equipment is returned all risk and cost of owmership shall be on the 
Agency. The very words “or until all equipment is returned” implies owner- 
ship remains with the vendor until we have paid in full. What we do fail 
to see is how the adoption of the audit recommendation strengthens the 
Agency financial picture or in fact provides better property accountability 
_ controls, As a matter of interest we have checked with our counterparts 
in other agencies to determine how they treat such contracts, Each advised 
they do not capitalize assets and establish liabilities when they implesent 
Similar contracts. Air Force, for example, uses one year OGM money and they 
too feel that to set up liabilities extending beyond authorized obligation 
authorities is suspect. 


2. The GAO report "Accounting for Automatic Data Processing Costs 
Need Improvement" B-115369 dated 7 February 1978, acknowledges that the 
reason for capitalizing the purchase price of Automatic Data Processing 
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MEMORANDUM FOR: Director of Finance 


THROUGH ; Inspector General : 
, Audit Staff, OIG 
SUBJECT +; Report of Audit of the Office of 


Data Processing as of 30 June 1978(S) 


1. (U) Paragraph 3 below contains a request for your 
action. 


2. (U) The following paragraphs are extracted from 
subject Report of Audit: 


‘Agency Assets and Liabilities Understated 


—_— Se ee ce eee ee me er eee ee ee ee ee ee ee ee ee ee i ee 


33. (S) The general ledger account 1723, Property in 
Use~Other, values ODP property at $10.8 million. However, the 
eventual total cost of owned equipment currently in the two 
25X1A computer centers will be MME i ltion. The discrepancy between 
the actual value of owned equipment and the amount currently 
shown in the general ledgers is due to the current policy of 
not recording the cost of equipment until it is conpletely 
paid for. ; 
25X1A 
34. (S) The Agency has alternate annual Payment contracts 
with the International Business Machines Corporation (IBM), 
and several third party leasing firms for : 
the purchase of seven large computer systems. These contracts 
25x1Atotal [BBBMMmillion and are to be paid over a multi-year Ja 
25X1Aperiod. To date aa million has been paid on _ these | 
contracts. jo 


35. (S) Whether these contracts are viewed as a lease 
with intent to purchase or as an outright purchase with time 
payments they should be recorded in the accounting system. The 
General Accounting Office's 'Policy And Procedures Manual For 
Guidance to Federal Agencies Title ITI Accounting' (August 
1972), gives the following guidelines for property acquired 
under lease~purchase arrangements: 
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"The total cost shall be capitalized when the property 
is accepted from the contractor or when the option to 
Purchase equipment is exercised, rather than period= 
ically as payments are made or when title passes to 
the Government'. 


‘The cost of property acquired under lease~purchase 
contracts, which in substance represent installment 
purchasing, should include the Purchase price under 
the contracts and related costs incurred by the 
Government", 


"The purchase price included in lease-purchase contracts 


for property, which are in substance installment 


purchases..., shall be recorded as a liability when the 


property is accepted from the contractor or when the 
option to purchase equipment is exercised. Sucha 
liability shall be reduced by periodic payments.' 


We believe for alternate annual payment contracts the option 
to purchase has been exercised at contract signing even though 
Payments are spread out over a period of time. In a separate 
memorandum to the Director of Finance, we are requesting 
action to record the purchase price of the contracts discussed 
above for million in the appropriate general ledger 
account to capitalize the assets. The remaining liability of 
MBM itiion due the contractors should also be recorded in 
an appropriate general ledger account.,' 


_ 3. (U) We request that action be taken to record the 
assets and liabilities as discussed in paragraph 2 above, 
Please advise the undersigned of action taken on this matter, 
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MEMORANDUM FOR: Director, Office a7 Processing 

THROUGH : Inspector General i 

25X1A FROM - pee . 
tet, Audit Staff 7 

SUBJECT : Report of Audit of Office of Data Processing » | 


as of 30 June 1978 (S) 


1. (U) Subject report is attached. Please advise 
this office of action taken on the recommendations con- 
tained in the report. 


2. (U) We appreciate the cooperation extended to | | 
“the auditors during the audit. . 


Attachment 
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REPORT OF AUDIT . 
Office of Data Processing 
as Of 30 June 1978 


SUMMARY 


1. (A/IUO) The Office of Data Processing (ODP) generally 
is carrying out its assigned tasks and utilizing resources in 
an effective manner. Financial controls and procedures are 
generally effective and in compliance with applicable 
regulations. Since the last audit, ODP has developed computer 
Systems which are better designed and more efficient to 
operate and maintain. User involvement has increased but has 
been neither uniform nor complete for all systems under 
development. We believe all major user offices should strive 
for ADP skills improvement and more participation with ODP in 
Systems development for their offices. This report includes 
commments with recommendations where appropriate, concerning 
the following: 


- policy for minicomputers 


~ development of a written disaster recovery 
plan for the computer centers 


- storage of system software backup tapes and 
critical data bases at an offsite location 


- strengthening existing and developing new 
technical security controls for several 
problem areas 


- employment of a full-time administrative 
assistant in the ODP Security Office 


- sanitizing 'scratch' tapes in the Special 
Center 


- reduction in frequency of tape library 
inventories 


~ weaknesses in access procedures for the 
Ruffing Computer Center 


Sse COR Et 
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~ provisior ..r¢ more stringent controls over 
storage and distribution of users' computer 
Outputs 


‘ - monitoring terminal usage 


- strengthening of controls in GIMS II data 
bases 


- improvement in methods for recording time 
purchased hardware and establishing cost 
for systems development 


- strengthening of property controls and 
procedures. 


25X1A 


2. (A/IU0) The audit was conducted under the authority of 

and included a review of procedures and controls 

exercised by ODP in the administration of its share of Agency 
resources. The audit concentrated on: 


- financial controls and procedures 

- logistical controls and procedures 

- administration of project development 
by Applications and Special Projects 
Staff 


- review of missions and procedures of 
the Ruffing and Special Computer Centers 


~ review of security procedures used in ODP 


~ policy on minicomputers,. 


GENERAL 


3. (S) ODP provides centralized computer services to all 
components of the Agency. They Operate two major computer 
centers: the Ruffing Center which serves most general users, 
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and the Special Center which Serves only the Operations 
Directorate and COMIREX Automated Management System (CAMS) 
users, These centers combined own equipment valued at 
approximately million and lease equipment valued .in the 
millions. The Office reviews and coordinates user offices! 
proposals for acquisitions of any computer equipment, 
software, and other services. ODP has an authorized personnel 
ceiling of JMjto accomplish its mission, 


4. (S) ODP's Operating budget for Fiscal Year 1978 is 
summarized as follows: 


DETAILED COMMENTS 


Minicomputer Policy 


a tee ee te eee eee ee 


5. (A/IUO) In January 1978 Opp formulated its policy for 
minicomputer use in ODP and, to the extent ODP can impact on 
it, in the Agency. ODP estimates the number of minicomputer 
applications are growing at a rate of 303 per year. 


6. (A/IUO) In a 15 July 1977 paper to the Executive 
Advisory Group (EAG) titled "Response to Key ADP Issue #3! 
dealing with the question of centralized versus decentralized 
computer facilities ODP identified the following advantages 
which make a decentralized approach attractive: 


~ lower software development cost 
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if applications software already 
exists and is available from 
the equipment vendor 


- data privacy for sensitive applications 


- faster response and possibly 
better availability and reliability. 


7. (A/IUO) Data processing users have recognized these 
benefits and are seeking their own minicomputer facilities for. 
a variety of applications. This decentralization of computer 
resources continues with limited Agency-wide coordination and 
Planning. Such an approach risks failure to apply Agency ADP 
resources efficiently, tolerating inconsistent work standards 
and quality control, complicating training and maintenance 
requirements and reducing the interchangability of 
applications between processors. 


8, (A/IUO) ODP recognizes this lack of central 
comprehensive planning and has previously recommended to the 
EAG that ODP serve as the Agency's central source of technical 
Support and guidance for the selection and maintenance of a 
Standard minicomputer. ODP has formulated an office policy 
consistent with this recommendation to: 


- implement and support standard 
minicomputer hardware and 
software 


- use Agency standard terminals 
in the minicomputer system 
configurations. 


- provide for minicomputers in their 
budget (Customers may be required 
to provide their own machine room 
Or operators or personnel slots 
for ODP operators,). 


9. (A/IUO) Concurrent with the expansion of minicomputer 
capability ODP Management Staff plans to develop costs of 
batch and interactive central System service for use in 
comparing cost of ODP central service versus the cost of 
acquiring and operating an individual minicomputer in meeting 
the demands of a particular proposed application. 


10. (C) The ODP GIMINI Project is an attempt to identify 
minicomputer hardware and operating systems which can support 
GIMS II, the Agency's data base management system for large 
data bases. ODP plans to allow users with sensitive 
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applications, extremely high needs for data privacy or 
response time/availability concerns to isolate their data. base 
On a minicomputer system rather than use the common direct 
access storage the general GIMS user is provided. The same 
GIMS software could be run on both the large central computer 
and the minicomputer, thus easing transferability of 
applications. ODP presently favors acquiring minicomputers 
with operating systems compatible with System 370 to avoid the 
need for extensive conversion of the minicomputer's operating 
System to accomodate GIMS, 


ll. (C) ODP currently has 13 minicomputers: two for 
message switching, one for the GIMINI project, one for the 
CAPER applications and Hospitalization/Insurance, and nine for 
use in the TAD System, ODP requested authority to procure 
three minicomputers of a Standard design in their FY80 budget. — 
This hardware was to be assigned to users applications where 
the cost was justified. The intent was to then maintain one 
Standard design minicomputer for the development of the next 
system and maintenance of the current System. The procurement 
authority requested was rejected in the budget process. This 
action, along with the rejection of two FY80 personnel slots 
ODP has requested to develop and maintain these minicomputer 
has in effect stalled ODP's plans. We believe opp developed 
their plans and policies in a reasonable and responsible 
Manner. We fully concur with oOpDP's position on this matter 
and their recognition of the need for centralized planning and 
control of the proliferation of minicomputer systems within 
the Agency, The importance of an Agency approach to 
controlled growth of minicomputers is most important in the 
efficient and effective management of these vital resources. 


12. (A/IUO) The Deputy Director of Central Intelligence 
(DDCI) in a memorandum ‘dated 26 July 1978, to Executive 
Advisory Group (EAG) members set forth Agency policy with 
respect to continuing FAG involvement in the management of 
Agency ADP resources. This memorandum provides for EAG to, in 
conjunction with its review of the Agency's Program Plan each 
year, specifically focus attention on the proposed functional 
uses of ADP and on major ADP investments. We believe ODP's 
Plan for an Agency minicomputer policy is of such timeliness 
and importance that it should be considered by the EAG, 


RECOMMENDATION #1: Present ODP's minicomputer 
Support plan to the EAG for its consideration 
within the framework of the annual review as 
directed in the DDCI meomorandum cited above, 
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Provisions for a Disaster Plan 


13. (A/IUO) The Purpose of a disaster plan is to minimize 
the magnitude of service interruption in an emergency 
Situation. Currently ODP does not have a written or tested 
disaster plan. Engineering Division has the general 
responsibility for recovering from a disaster, This is 
primarily a technical approach i.e. replacement of hardware, 
cables, and physical plant. The area that reguires extensive 
attention is the identification of applications critical to 
the Agency's missions. Areas such as alternatives to 
processing by computer and what can be run on non-Agency 
computers should be investigated, 


14. (A/IUO) The complete spectrum of ADP requirements 
needs to be reviewed and prioritized. The results should then 
be matched against the Agency's capability to provide these 
services in the event of a disaster to one or both computer 
centers. Alternative processing sites should be identified 
‘and the entire disaster recovery plan should be maintained in 
a current status and tested periodically to validate its 
effectiveness. 


RECOMMENDATION #2: Review and prioritize the 
Agency's emergency ADP requirements and develop 

a written disaster recovery plan that adquately 
provides support in the event of a disaster, 

Also provide for current maintenance and periodic 
testing of the plan after development. 


Offsite Storage Requirement 


SS we em me ee See ye ede ee 


15. (S) Backup copies of Opp System software and critical 
data bases i.e, CAMS are not stored at an offsite location. 
One can reason that equipment can be eventually replaced but 
system software and databases that are destroyed without 
backup provisions could be lost forever. Storing both the 
working and backup copies in the same area does not provide 
adequate safeguards against potential catastrophe. The most 
common measure taken to provide records backup is to store 
copies in an offsite location. Oo 


16. (S) Once the backup program is established, it is 
essential to maintain and test it. Having a test team solve 
actual operational problems using the stored vital records 
will assure management the program does work, 
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KCCOMMENDATION #3: Store system software backup 


tapes and copies of criti bases in the 
5X1A and/or exchange 
= . etween the two computer centers. The. 


Stored backup records and programs should also be 
Currently maintained and periodically tested to 
determine their operational readiness. 


Technical Security 


ee ee me ee ee ee ee ey 


17. (S) ODP has identified a list of potential security 
problems with a majority of these items still unresolved. A 
partial listing of these items are: 


- a ‘Who are You' identification code to 
determine if proper authorization has 
been obtained before allowing access to 
Gata on VM, GIMS, and COMTEN 


~ Z Tapes (other government agency tapes) are 
released without controls to assure that the 
receiving person is authorized to receive 
the tape and that the tape does not contain 
data other than the users 


~ residual data remains on disk data sets when 
released thereby becoming accessible to the 
next user 


~ unauthorized users can, by learning data set 
names, access data sets other than their own 


- no controls over Systems and Applications 
programmers to prevent fraudulent or other 
misuses of systems and data bases 


- listings containing Systems dumps are reimoved 
from the computer center without a formal 
determination being made of the classification 
of the data listed 


- no audit trails of abortive attempts to link 
to M=-Disk or logon (sic) the systems 


- inadequate security control over the printing of 
classified data on remote printers in customers 
locations. 
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18. (A/IUO) Also, there are some other areas where 
internal controls need to be strengthened: 


- during the evening shift in the Special Center 
and the weekend shifts in the Ruffing Center 
the computer operators have access to the tape 
library and can remove and use tapes without 
recording their use 


- no scheduled rotational/segregated duties 
exist in the centers i.e. operators are 
used as library and point workers during 
the same shift 


~ when systems and applications software is 
modified there is little detailed aocumentation 
of the steps used during testing and/or the 
authorization for the changes; additionally 
there is no documented evaluation of the 
potential side effects of the changes on 
the operating environment 


~ there is inadequate compliance with the 
procedures for security classification 
labelling on data outputs from VM and 
Batch. 


Because of the sensitive nature of the data processed in the 
Agency, stringent security controls are essential, These 
controls, if they are to be effective, may be difficult to 
implement and prove to be encumbering to those who must work 
within them, 


19, (U) There are several alternatives to be considered 
in strengthening controls in the areas mentioned. They range 
from accelerated polygraphing of key personnel to a thorough 
and effective control package which may be operationally 
restrictive, The ODP security officer should address the 
security implications in these areas and determine if there is 
a threat. If, after evaluation, the need is apparent ODP and 
the Office of Security (OS) should concentrate the required 
resources to bring these areas under better control, 


RECOMMENDATION #4: Determine methods for better . 
controls in the areas mentioned. Coordinate 
this study with the Office of Security. 


SECRET 
Approved For Release 2001/08/14 : CIA-RDP81-00142R000100030003-8 


"Approved For AD se 2001/08/14 : CIA-RDP81-00142R§ 100030003-8 


20. (C) ODP and the Office of security in May 1977 
established an ODP/OS Working Group to identify, oversee, and 
provide recommendations to resolve these technical security 
risks, However, these problems still persist partly because 
there isn't a full-time team or individual to actively pursue 
and resolve these identified areas. 


21. (C) The current opp Security Officer (SO) is 
principally involved with day to day adminstrative 
reguirements, ie, obtaining access indicators to the computer 
centers and initializing ODP related security clearances. This 
leaves little time for technical security problems, 


22. (C) ODP stated during the previous audit that they 
were in the process of Obtaining a full-time technical So, 
This has not been accomplished. The justifications given were 
increases in: 


~ ODP personnel and applications 

- project sensitivity 

- complexity of the operating environment 
- compartmentation, 


The obtaining of this SO was resubmitted for the FY80 budget. 
This slot was rejected as part of the budget process. The 
current SO has a part-time ODP adminstrative assistant to 
handle some of the paperwork. Converting this part-time 
position to full-time would allow the SO to devote nore of his 
efforts to technically related computer security problems, 


RECOMMENDATION #5: Consider converting the current 
part-time adminstative assistant to a full~time 
position. In addition, formally request technical 
security assistance from the Office of Security to 
assure proper attention to these technical security 
problems, 


Release of Scratch Tapes 


a a ee cm cr ee te iy ee ey 


23. (S) Currently Special Center magnetic tapes released 
to 'scratch' status (tapes made available to another user), 
are not sanitized. The data left on the tapes by the previous 
user is potentially available to the next person using that 
tape. In the Ruffing Center ‘scratch! tapes are sanitized via 


J 
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the Data Erase process. Data Erase tapes do not have to be 
reinitialized (internal labeling) which reguires computer 
Operator assistance, The Data Erase process reduces the 
possibility of exposure of data tO unauthorized users. It 
takes approximately two to three minutes to Data Erase one 
tape. The Ruffing Center is on the Tape Management System 
which effectively identifies the magnetic tapes to be Data 
Erased. The Special Center tape library will soon be 
completely converted to the Tape Management System (TMS). 
With TMS regulating the flow of tapes to be 'scratched' and 
the relatively short time it takes to Data Erase, the 
disruption of the library's operating routine should be . 
minimal. 


RECOMMENDATION #6: Use Data Erase to Sanitize all 
magnetic tapes that are to be used as ‘scratch’ 
tapes in the Special Center, 


Inventory of Tape Library 


LS ee a ee ee ore oy me pp ee ee 


24, (A/IUO) A 1008 inventory is done every three months 
in the Ruffing Center and every two months in the Special 
Center. Because both centers have exceptional records of 
resolving all discrepancies that do rarely occur we suggested 
that a semi-annual inventory would be adequate for both tape 
libraries. This would each year save approximately 200 hours 
of overtime paid to the inventory participants. It was also 
Suggested that all participants and the center manager sign 
the inventory memo to add credibility to this document. During 
the non-inventory months the librarian should continue 
identifying overdue tapes for ODP Security Officer 
intervention. Both centers have agreed to implement the above 
procedures, 


Access to Computer Centers 
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25. (A/IUO) ODP recently obtained additional Headquarters 
space for the planned collocation of the 'points' (user pickup 
and servicing areas), Estimates for the date of the 
relocation ranged from late FY79 through FY81 to not at all, 
The recommendations in the next three paragraphs are intended 
for interim action until the final location and configuration 

of the 'point' has been determined. 


' 


” 
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26. >. Durins ur review of the centers we observed a 
large num: of pers :nnel entering the Ruffing Center. The 
number of mnon-Ruffing Center personnel with 'E' access 
indicators seems to be excessive. ('E' indicators are for the 
Ruffing Center and 'B' indicators are for the Special Center). 
The current practice of granting access by component rather 
than by individuals daily need is questionable. Both computer 
centers' managers stated that they have begun reviewing the 
individuals' requirements for access. The Special Center has, 
by their review, indentified [people who no longer need 
automatic access, [BBBBBMof which have already had their 
indicators removed. The Ruffing Center should identify those 
who no longer need automatic access and submit their names to 
the ODP Security Officer for removal of their 'E! indicators. 
Personnel with infrequent need can use a no escort badge, 
effectively reducing the amount of casual traffic in the 
center, 


RECOMMENDATION #7: Continue to review the need 
for 'E' Ruffing Center access indicators for non= 
center personnel and expand the usage of no escort 
badges for infrequent users, 


27. (C) Access to the Ruffing Center is monitored by the 
person manning the tape reception area. This individual has 
Other duties which makes it difficult to visually monitor the 
doors at all times, To improve the situation ODP has 
rearranged the furniture to block the direct path to the 
computer room. This is a step in the right direction but an 
enhancement to this control is to install a remotely activated 
gate, This gate would require individuals entering to be 
visually observed and their need for access established. Once 
admitted past the gate they would have access to the work area 
of the 'point', library and computer room. This would permit 
the center's personnel to do their job without exiting the 
controlled area. 


RECOMMENDATION #8: Install a remotely controlled 
access gate in the Ruffing Center 'point' area to 
limit unchallenged entry to the computer room. 


28. (C) ODP is in the process of investigating different 
devices to provide a secure user pickup and data control. The 
leading candidate thus far is a badge operated mailbox system. 
The coded Agency badges would restrict an individual's access 
to predetermined mailboxes. However, this secure mailbox 
System is not planned for implementation until the new ‘point' 
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has been cated. Cuirxcently ODP is using as a control tear off 
sheets f--: each users listing. The user Supposedly signs them 
when he wicks up his output, The ‘point’ personnel have no 


knowledge of who is authorized to receive particular outputs 
or even if the tear off sheets were signed by the user. Any 
badged personnel can ask for listings from almost any output 
bin and receive them regardless of whether he has’ the 
authorization to receive such information. The Ruffing Center 
typically collects one box of tear off sheets each day and 
then forwards these sheets to a «° storage in archives, 
The intended purpose of having e tear off sheets was to 
control who picks up_ the Output by having an ODP operator 
confirm that each listing is signed for. Due to. the volune 
plus the operator's regular duties this has not been 
effectively or efficiently done. To date there have been no 
requests from the users to recall any of these sheets to 
determine who received a listing. 


RECOMMENDATION #9: Establish more stringent 
controls over users receipt of data from the 
‘point’ in the Ruffing Center, 


Monitoring Terminal Usage 


29. (A/IUO) We observed that some users were signing on 
to terminals but were not using then for periods of over a 
half hour. This inefficient usage could prevent other users 
from accessing the systems due to the limited number of 
terminals which can be signed on simultaneously. Allowing a 
terminal to be signed on but not in use could be a security 
risk, potentially permitting unauthorized users access to the 
systems, 


30. (A/TUO) Engineering Division (ED) prepares a computer 
generated report of terminal usage, primarily used to optimize 
the system configuration. ED can provide these reports to 
determine which terminals are not effectively being used. We 
provided the ODP Security Officer with this information, 


RECOMMENDATION #10: Provide terminal usage 
reports to appropriate ODP Management person- 
nel for monitoring efficiency and security 

of terminal usage. 
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Improved Controls in Gims=II Data Bases 


— ee er eee eee ee ye ee 


31. (A/IUO) In one instance we found-an inadaquately 
tested change to a GIMS-II production data base causing loss 
of data intregity. In an attempt to prevent another occurence 
of the problem we discussed with appropriate ODP personnel the 
need for user approval of system changes to assure data base 
integrity. 


32. (A/IU0) ODP Data Access Center (DAC) personnel are 
now in the process of establishing procedures to control 
changes to GIMS-II production data bases. Included in these 
procedures will be requirements for; 


~ testing or reviewing test results by the users' 
Data Base Manager 


- written notification from the ODP Application's 
Project Manager to the DAC of any change to the 
GIMS-II production data base: 


- written document from the DAC to the user and the 
Application's Project Manager when the change 
is installed 


~ documentation of all changes catalogued in the 
Central Library of Production Division 


~ documentation of emergency changes within 48 hours. 


These procedures will also help avoid unapproved changes and 
make the customer more cognizant of the impact of changes on 
the system, ODP can continue their efforts to assure data and 
processing integrity in all systems they develop or maintain 
by strictly enforcing these procedures. 


i 


RECOMMENDATION #11: Complete development 
and implement procedures to control systems 
changes. 


Agency Assets and Liabilities Understated 


33. (S) The general ledger account 1723, Property in 
Use~Other, values ODP property at million. However, the 
eventual total cost of owned equipment currently in the two 
computer centers will be million, The discrepancy between 


1" 
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the actual value of owned equipment and the amount currently 
Shown in the general ledgers is due to the current policy of 
not recording the cost of equipment until it is completely 
paid for. ! 


34. (S) The Agency has alternate annual payment contracts 

with the International Business Machines Corporation (IBM), 

and several third party leasing firms for 

€ purchase of seven large computer systems. These contracts 

total [FEBBMMMmillion and are to be paid over a multi-year 

period. To date PE tillion has been paid on these 
contracts, 


35. (S) Whether these contracts are viewed as a lease 
with intent to purchase or as an outright purchase with time 
payments they should be recorded in the accounting system. The 
General Accounting Office's ‘Policy And Procedures Manual For 
Guidance to Federal Agencies Title II Accounting' (August 
1972), gives the following guidelines for property acquired 
under lease~purchase arrangements; 


‘The total cost shall be capltalized when the property 
is accepted from the contractor or when the option to 
purchase equipment is exercised, rather than period= 
ically as payments are made or when title passes to 
the Government’, 


"The cost of property acquired under lease-purchase 
contracts, which in substance represent installment 
purchasing, should include the purchase price under 
the contracts and related costs incurred by the 
Government'. 


‘The purchase price included in lease~purchase contracts 
for property, which are in substance installment 
purchases..., shall be recorded as a liability when the 
property is accepted from the contractor or when the 
option to purchase equipment is exercised. Sucha 
liability shall be reduced by periodic payments.' 


We believe for alternate annual payment contracts the option 
to purchase has been exercised at contract signing even though 
Payments are spread out over a period of time. In a separate 
memorandum to the Director of Finance, we are requesting 
action to record the purchase price of the contracts discussed 
above for million in the appropriate general ledger 
account to capitalize the assets, The remaining liability of 

million due the contractors should also be recorded in 
an appropriate general ledger account. 
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Identify ADP ice eu and System Development Costs 


36. (U) There is increasing Office of Management and 
Budget (OMB) and Congressional interest in the management and 
use of ADP resources. A recent report to the Congress by the 
Comptroller General, "Accounting for Automatic Data Processing 
Costs Needs Improvement! (February 1978), states: 


‘It is essential to keep costs accurately for data 
processing systems and organizations, as in any 
Other department. Reliable cost data is practically 
indispensable in making sound decisions on whether 
to get needed services through procurement from 
commercial sources or to perform them in-house,.' 


The report goes on to explain the benefits of cost data: 


‘With good cost accounting and reporting, management 
can have complete and consistent cost information 
quickly and economically. This should enable them 
tos 


= compare costs among organizations, activities, 
operations, and projects; 


- make informed investment decisions by: 
(1) estimates of the cost of implementing 
proposals for new systems and facilities, 
(2) preparation of cost-benefit analysis, and 
(3) cost comparisons with commercial and other 
alternatives; 


~ establish the cost of work done and measure 
productivity; 


- measure the cost of Per SOEnence of responsible 
officials; 


- make end users and top management conscious of 
the cost of data processing systems and 
services; 


- provide the accounting basis for proper 
charging of appropriation, allotment, and 
program accounts as well as the billing for 
intra- and interagency services; and 
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“provide the accounting basis for budget 
justifications and reports to Congress, OMB, 

GSA, and the public on the cost, custody, 

a and use of the automatic data processing. 

resources entrusted to them.' 


37. (U) ODP provides a complete range of data processing 
services, from helping users collect requirements to 
processing and maintaining applications after implementation. 
ODP distributes the Project Activity Report (PAR) to inform 
customer management of the value of services used each month. 
The value or cost of ADP services allocated. to a project are 
based on computer usage and ODP man-hours. This report is 
also used by ODP management to respond to requests from the 
EAG, OMB, and other oversight committees. Knowing the value 
of ODP services is of interest to users who track and control 
the growth of their use of ADP resources, But the PAR is 
misleading when used to report project costs to the OMB or 
congressional committees, Computer usage costs are calculated 


using 1972 unit cost statistics. Also, the customer's 
man-hour and some contractor costs are not included in project 
costs. 

385 (U) A recent GAO publication, ‘Illustrative 


Accounting Procedures for Federal Agencies’ (1978), recommends 
the capitalization of major ADP systems and applications 
systems whose acquisition or development costs in excess of 
$100,000. The acguisition or development costs should 
include; 


- The price of purchased software and the estimated 
useful value of software obtained by other means, 
including the cost for preoperation modifications, 
conversions, testing, and documentation, 


- Salaries and benefits for agency staff and 
compensation of contractors and other Government 
personnel for developing new software and modify- 
ing software obtained through other means. This 
would include expenses for analysis, design, 
programming, documentation, testing, and conversion. 
It would also include expenses for preparing the 
computer operating instructions, user procedures 
manual and other documentation. 


- Computer operating costs for testing, debugging, 
and parallel processing. 


39, (U) This same GAO report published the results of a 
survey of 26 Federal organizations providing data processing 
services, Twelve of the 26 capitalized their hardware, and 


‘ 
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ten of these Capii:iized their owned operating software. None 
of the Organizations surveyed capitalized their owned 
applications software. 


40. (S) During 1977 ODP presented 21 major application 
Systems to the EAG for review. ODP estimated development and 
operating costs for these systems would consume over $42 
million in ODP resources. These estimates do not identify 
accurately ODP development costs nor do they include the 
users' costs. Information about expenditures of this 
magnitude, particularly when requested by oversight 
committees, must be accurate and timely. At this time, we do 
not recommend capitalization of operating or applications 
software; however we do believe cost accounting procedures 
must be developed to identify the cost of these systems as if 
they were to be capitalized. ODP has initiated an internal 
office requirement to study this problem and obtain outside 
contractors assistance in upgrading their current cost system. 


RECOMMENDATION #12: Continue efforts to update cost 
accounting procedures to accurately and completely 
identify the current cost of ADP computer systems 
software, 


\ 


Property Procedures 


41. (A/IUO) A complete physical inventory of Type ITI 
Property has not been conducted since 30 June 1975. A partial 
inventory was taken at the time the current Logistics Officer 
assumed accountability on 19 July 1976. Existing Consolidated 
Memoranda of Receipt are two or more years out of date and no 
longer reflect the current physical disposition of ODP 
property particularly office equipment. ODP has begun an 
intensive effort to revise and correct ODP property accounting 
procedures, They have requested and received Office of 
Logistics agreement to provide assistance to jointly solve 
their property accounting problems. 


RECOMMENDATION #13: Continue the coordinated 
effort with the Office of Logistics to jointly 
solve ODP's property accounting problems. In-= 
sure that a complete physical inventory is 
conducted in accordance with x Doc- 
ument any descrepancies revealed as a result of 
the inventory as prescribed by the regulations. | 
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42. (A/IUO) Recording of Type II Property transactions in 
Many instances lags too far behind actual receipt of the 
property. Part of the problem lies in the delay in forwarding 
receiving reports from the Support Staff to the Logistics 
Officer. In addition, the Logistics Officer is not always 
recording documents on a timely basis. 


RECOMMENDATION #14; Take actions required to 
assure recording of Type II Property transactions 
on a more timely basis. 


43. (A/IUO) Duplicate automated and manual systems exist 
to record financial and technical information about hardware. 
Support Staff enters puchase prices or the monthly rental 
payment amount into both Engineering Division's Engineering 
Management Information System (EMIS) and into their own 
purchase, lease and maintenance contract files. In addition, 
Environment and Configuration Management Branch maintains a 
manual file of utility and technical requirements of each 
hardware item. Supporting redundant data bases consumes 
resources and delays information flow between all participants 
in equipment transactions. Inconsistencies exist between 
systems. 


RECOMMENDATION #15: Determine the present capa- . 
bility of EMIS to serve as a central data base 

for all hardware transactions, both engineering 
and financial. Identify the information needs 

of various components and determine whether EMIS 
can be enhanced to the point where it satisfies 
the needs identified. If EMIS is enhanced research 
and verify to supporting documentation any missing 
data. Consider recording ODP's office equipment 
on the data base in addition to currently listed 
Major hardware items, 


“44, (C) The Budget and Finance group of Management Staff 
is not able to validate the balance of their unliquidated 
obligations. The Encumbrance Activity Report continues’ to 
show as open requisitions those which have been filled and 
paid by the Agency. This problem arises outside of ODP's 
control and is likewise a problem for other. offices. We will 
address the issue further in our audit of. the Office of 
. Logistics. 


18 
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Report of Audit of ODP 


DD/A 78-3584/2 
Executive Officer/DDA 


Mr. May 
Director/ODP 


VIA TUBE 


Danny : 


I am sure you recall seeing 
the Audit Staff Report request 
that Agency assets and liabili- 
ties in the ADP field should 
be recorded differently so as 
not to be understated. I re- 
call asking you some time ago 
if this gave you any trouble 
and you responded that it would 
not. 
To close the loop, I thought 
you might be interested in 
Tom Yale's response to the 
Audit Staff showing why a change 
in recording assets and liabili- 
ties should not be made, ptij7) 


Att 


Distribution: 
Orig ~ Mr. May w/att 
1 - DDA Chrono 
it - DDA Subj 
1 - RFZ Chrono 


EO/DDA;se 21 Nov 78 
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SUBJECT: (Optional) 


Report of Audit of the Office of Data Processing as of 30 June 1978 


FROM: Thomas B. Yale EXTENSION 
Director of Finance 
1212 Key Bldg. 


pare §-2.4 OCT 1978 


to whom. Draw a line across column after each comment.) 


, \ 
Pa 


TO: (Officer designation, room number, and 
building) COMMENTS (Number each comment ta show from whom 
gee 
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